SamSam
SamSam ransomware is a custom infection used in targeted attacks, deployed through a wide range of exploits or brute-force tactics. Based on our own run-ins with the infection, we observed that during the earlier wave of SamSam attacks in 2016 and 2017, targets were compromised through vulnerable JBoss application servers. In 2018, SamSam operators gain their initial foothold either by exploiting vulnerabilities in Remote Desktop Protocol (RDP) services, Java-based web servers, or File Transfer Protocol (FTP) servers, or by brute-forcing weak passwords. From there, the ransomware "fun and games" begin for the authors. For everyone else, it's chaos.

Payload

A common thread tying all of these attacks together is the use of the word "sorry" in ransom notes, URLs, and even the names of the encrypted files themselves. Here is what the ransom splash screen says:

What happened to your files?
All your files are encrypted with RSA-2048 encryption, for more information search in Google "RSA encryption"
How to recover files?
RSA is an asymmetric cryptographic algorithm, you need one key for encryption and one key for decryption so you need private key to recover your files. It's not possible to recover your files without private key.
How to get private key?
You can get your private key in 3 easy steps:
1) You must send us 0.8 Bitcoin for each affected PC or 4.5 Bitcoins to receive all private keys for all affected PCs.
2) After you send us 0.8 Bitcoin, leave a comment on our site with this detail: just write your host name in your comment
3) We will reply to your comment with a decryption software, you should run it on your affected PC and all encrypted files will be recovered
With buying the first key you will find that we are honest

SamSam first caused trouble in 2016, and its operators began regularly raising their ransom demands in 2017. Colorado and Atlanta have both been hit hard by SamSam.
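The RDP brute-force route described above leaves a recognisable trace in the Windows Security log: a burst of failed logons (Event ID 4625) from one source address, followed by a successful logon (Event ID 4624) from the same address. The Python script below is an added example, not code from the original page or from any SamSam sample; it flags that pattern over a handful of constructed log lines. The simplified key=value record layout, the source addresses, the account names and the timestamps are all invented for the example, and a real export (from wevtutil, Sysmon or a SIEM) needs its own parser in place of parse_event.

```python
"""Flag RDP brute-force logons: a burst of 4625 failures from one source
address, followed by a 4624 success from the same address.

Added example; the log format and every value below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a simplified key=value rendering of Windows Security
# events. LogonType 10 is RemoteInteractive, i.e. an RDP session.
# 203.0.113.7 hammers the administrator account and then gets in;
# 198.51.100.2 fails twice and gives up; 192.0.2.10 is a clean logon.
SAMPLE_EVENTS = [
    "2018-03-20T02:14:01 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7",
    "2018-03-20T02:14:09 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7",
    "2018-03-20T02:14:18 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7",
    "2018-03-20T02:14:27 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7",
    "2018-03-20T02:14:35 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7",
    "2018-03-20T02:14:44 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7",
    "2018-03-20T02:14:52 EventID=4624 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7",
    "2018-03-20T02:20:00 EventID=4625 LogonType=10 TargetUser=backup SourceIP=198.51.100.2",
    "2018-03-20T02:20:30 EventID=4625 LogonType=10 TargetUser=backup SourceIP=198.51.100.2",
    "2018-03-20T02:30:00 EventID=4624 LogonType=10 TargetUser=jsmith SourceIP=192.0.2.10",
    "2018-03-20T02:31:00 EventID=4624 LogonType=3 TargetUser=svc_print SourceIP=192.0.2.11",
]


def parse_event(line):
    """Split one constructed log line into a dict; the timestamp is parsed."""
    timestamp, *fields = line.split()
    record = {"ts": datetime.fromisoformat(timestamp)}
    for field in fields:
        key, value = field.split("=", 1)
        record[key] = value
    return record


def find_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=10),
                        logon_types=("10",)):
    """Return one finding per 4624 that was preceded, within `window`, by at
    least `threshold` 4625 failures from the same source address.

    Events are processed in the order given, so sort exports by time first.
    With Network Level Authentication enabled, failed RDP attempts are logged
    with LogonType 3 rather than 10; pass logon_types=("10", "3") for those.
    """
    failures = defaultdict(list)   # source IP -> timestamps of failed logons
    findings = []
    for line in lines:
        event = parse_event(line)
        if event.get("LogonType") not in logon_types:
            continue
        source = event["SourceIP"]
        if event["EventID"] == "4625":
            failures[source].append(event["ts"])
        elif event["EventID"] == "4624":
            recent = [t for t in failures[source] if event["ts"] - t <= window]
            if len(recent) >= threshold:
                findings.append({
                    "source_ip": source,
                    "user": event["TargetUser"],
                    "failures": len(recent),
                    "success_at": event["ts"].isoformat(),
                })
            failures[source].clear()   # a success ends the current burst
    return findings


if __name__ == "__main__":
    for hit in find_rdp_bruteforce(SAMPLE_EVENTS):
        print(f"RDP brute force from {hit['source_ip']}: {hit['failures']} failed "
              f"logons before success as {hit['user']} at {hit['success_at']}")
```

On the constructed sample only 203.0.113.7 is reported (six failures, then a success as administrator); the two failures from 198.51.100.2 never reach the threshold and the clean logons produce nothing. The threshold and window are deliberately parameters: the right values depend on how noisy legitimate logons are on the host, and an exposed RDP service will usually show far more than five failures per burst.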
History

January, 2018

Hospitals, city municipalities, and many more from Indiana to New Mexico were infected with this ransomware, in varying degrees of severity. One hospital in Indiana in particular was reduced to working with pen and paper in stormy weather. It decided to pay the ransom and get its systems back up and running, since the cost of rebuilding was higher than the ransom. This was an organization that had backups in place, unlike many other ransomware victims; all the same, by attacking a service offering life-saving treatment to patients, the attackers left staff with few options. This is the already fraught situation healthcare professionals and the departments responsible for day-to-day management of city services found themselves in heading into February.

February, 2018

In February, the Colorado Department of Transportation had to shut down 2,000 (non-critical) systems after they were infected with SamSam. Bitcoin was once again what the attackers were after; the department decided not to pay, but to restore from its backups instead.

March, 2018

SamSam caused great disruption for the city of Atlanta, as systems across many city buildings were infected with this ransomware.

"The City of Atlanta is currently experiencing outages on various customer facing applications, including some that customers may use to pay bills or access court-related information. We will post any updates as we receive them. pic.twitter.com/kc51rojhBl"
— City of Atlanta, GA (@Cityofatlanta), March 22, 2018

The city was faced with the prospect of paying $6,800 per machine to unlock the encrypted files, or $51,000 to recover everything across all compromised computers. As to how the attackers got in, one researcher noted a potential EternalBlue route, pointing out that a city web server had SMBv1 exposed to the internet:

"C'mon @Cityofatlanta… SMBv1 open on web.atlantaga.gov to the internet? Have we learned nothing!? #ransomware #Atlanta pic.twitter.com/t35SalTcEE"
— Reggie (@Ring0x0), March 23, 2018

An internet-exposed SMBv1 service is a finding in its own right, but it was not confirmed as the entry point here; the access routes documented for SamSam remain RDP, Java-based web servers and FTP, plus brute force against weak passwords.

Ten days after the initial infection, the city was still struggling to get back to full strength, with no fewer than five of its 13 departments hit in the original attacks. Just as the Indiana hospital staff were forced to use pen and paper, so too was law enforcement in Atlanta, and the police also lost some records in the bargain. Three Atlanta city council members were forced to use personal laptops at work, devices that may already hold personal information such as credit card details. Although the ransom was "only" $51,000, the ransomware authors pulled the payment page and left Atlanta carrying the can. Ultimately, the SamSam outbreak cost the city of Atlanta a staggering $2.6 million to put a $51,000 infection right.

References

https://blog.malwarebytes.com/cybercrime/2018/05/samsam-ransomware-need-know/

Category:Ransomware
Category:Microsoft Windows
Category:Win32
Category:Win32 ransomware
Category:Assembly